User Guide

Synapse Yara Grid adds Storm commands for conducting file matching using the YARA tool. Additional Storm commands are also added for validating rules and analyzing a file against a set of rules.

Getting Started

Check with your Admin to enable permissions.

Examples

Validate a rule

For rules that are syntactically invalid, the YARA syntax error output is printed instead.

> it:app:yara:rule#my.rules | yara.validate
it:app:yara:rule=01738b8891281132320801d2ef56f212
        .created = 2024/04/09 16:55:42.878
        :name = test.yara
        :text = rule SimpleTestRule
                {
                meta:
                  author = "Vertex project"
                strings:
                  $string0 = "key"
                  $string1 = "valu"
                condition:
                  all of them
                }

        #my.rules

Match files against rules by tag

> file:bytes#my.files | yara.match --rules ${ #my.rules } --yield
it:app:yara:match=('01738b8891281132320801d2ef56f212', 'sha256:34549c8136bb1e0bc6de426202a4d93f59e479072d12eda6dc3841562240d606')
        .created = 2024/04/09 16:55:45.737
        :file = sha256:34549c8136bb1e0bc6de426202a4d93f59e479072d12eda6dc3841562240d606
        :rule = 01738b8891281132320801d2ef56f212
        :version = 0.0.0

Use of meta:source nodes

Synapse Yara Grid uses a meta:source node and -(seen)> lightweight edges to track the nodes created by the power-up.

> meta:source=14b4a81b910d6cc5da902f6a072fcbc3
meta:source=14b4a81b910d6cc5da902f6a072fcbc3
        .created = 2024/04/09 16:55:45.727
        :name = synapse yara grid service

Storm can be used to filter nodes to include or exclude those which have been observed by Synapse Yara Grid. The following example shows how to filter the results of a query to include only results observed by Synapse Yara Grid:

> it:app:yara:rule#my.rules -> it:app:yara:match +{ <(seen)- meta:source=14b4a81b910d6cc5da902f6a072fcbc3 }
it:app:yara:match=('01738b8891281132320801d2ef56f212', 'sha256:34549c8136bb1e0bc6de426202a4d93f59e479072d12eda6dc3841562240d606')
        .created = 2024/04/09 16:55:45.737
        :file = sha256:34549c8136bb1e0bc6de426202a4d93f59e479072d12eda6dc3841562240d606
        :rule = 01738b8891281132320801d2ef56f212
        :version = 0.0.0
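The following Storm query is an added example that is not part of the original guide or the power-up's own documentation; it strings the commands above together and extends the meta:source pattern with edge walking and exclusion filters. It assumes the tags #my.rules and #my.files and the meta:source guid shown above already exist.

```storm
// Step 1: validate the tagged rules before matching; invalid rules
// print their YARA syntax error and should be fixed first.
it:app:yara:rule#my.rules | yara.validate

// Step 2: match the tagged files against the tagged rules and yield
// the resulting it:app:yara:match nodes.
file:bytes#my.files | yara.match --rules ${ it:app:yara:rule#my.rules } --yield

// Step 3a: walk every node the power-up has observed, starting from
// its meta:source node (guid taken from the output above).
meta:source=14b4a81b910d6cc5da902f6a072fcbc3 -(seen)> *

// Step 3b: keep only match nodes created by the power-up, then pivot
// to the matched files (via :file) and to the rules that fired (via :rule).
it:app:yara:match +{ <(seen)- meta:source=14b4a81b910d6cc5da902f6a072fcbc3 } -> file:bytes
it:app:yara:match +{ <(seen)- meta:source=14b4a81b910d6cc5da902f6a072fcbc3 } -> it:app:yara:rule

// Step 3c: the inverse filter, match nodes NOT observed by the power-up
// (for example, matches ingested from another tool), useful when auditing
// where a match came from.
it:app:yara:match -{ <(seen)- meta:source=14b4a81b910d6cc5da902f6a072fcbc3 }
```

Each line is an independent query; run them one at a time, as `+{ }` keeps nodes for which the subquery returns results and `-{ }` drops them.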